27.4.3.2 To Monitor Inbound SMTP Connections

External user relaying mail:
Look in msg-svr-base/log/mail.log_current for
records with the logging entry code J (rejected relays).
To turn on logging of remote IP addresses, add the following line to the option.dat file:

log_connection=1

Note that there is a slight performance trade-off when this feature
is enabled.

Service denial attack:
To find out who is connecting to the SMTP servers, and how many connections there are, you
can run the netstat command and check for connections at the SMTP port (default: 25). Example:

Note that you first need to determine what number of SMTP connections, and in
which states (ESTABLISHED, CLOSE_WAIT, etc.), is normal for your system before you can tell whether a particular reading is
out of the ordinary.

If you find many connections staying in the SYN_RECEIVED state, this might be caused by a broken network or a
denial-of-service attack. In addition, the lifetime of an SMTP server process is
limited. This is controlled by the MTA configuration variable MAX_LIFE_TIME in the dispatcher.cnf file. The default is 86,400
seconds (one day). Similarly, MAX_LIFE_CONNS specifies
the maximum number of connections a server process can handle in its lifetime.
If you find a particular SMTP server that has been around for a long time, you may
wish to investigate.
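
The netstat check and the SYN_RECEIVED symptom described above can be tallied with a short script. This is an added example, not part of the original guide: the function names, the SMTP_PORT variable and the sample netstat lines (constructed, using documentation address ranges) are assumptions, and it goes slightly beyond the text by accepting both addr.port and addr:port column styles.

```shell
#!/bin/sh
# Added example, not from the original guide. Feed it `netstat -an` output on
# stdin. SMTP_PORT and the function names are assumptions of this sketch.
SMTP_PORT=${SMTP_PORT:-25}

# Print "STATE REMOTE_IP" for each TCP connection whose LOCAL port is SMTP_PORT.
# Accepts "addr.port" and "addr:port" address columns; the state is the last field.
smtp_conns() {
  awk -v port="$SMTP_PORT" '
    $NF !~ /^[A-Z][A-Z0-9_]+$/ || $NF == "LISTEN" { next }  # headers, UDP, listeners
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /[.:]([0-9]+|\*)$/) {        # first address-like field is the local end
          if ($i ~ ("[.:]" port "$")) {
            remote = $(i + 1)
            sub(/[.:][0-9]+$/, "", remote)    # strip the remote port
            print $NF, remote
          }
          next                                # never test the remote address
        }
    }'
}

# "COUNT STATE" per connection state, most frequent first.
smtp_state_counts() {
  smtp_conns | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "COUNT REMOTE_IP" for half-open connections, busiest source first. The prefix
# match covers SYN_RECEIVED and abbreviated spellings such as SYN_RECV (Linux).
smtp_half_open_sources() {
  smtp_conns | awk '$1 ~ /^SYN_R/ { print $2 }' | sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Constructed sample input (documentation address ranges), so the script runs offline.
sample_netstat() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address       State
tcp   0      0      0.0.0.0:25        0.0.0.0:*             LISTEN
tcp   0      0      192.0.2.10:25     198.51.100.7:40112    ESTABLISHED
tcp   0      0      192.0.2.10:25     198.51.100.8:40990    CLOSE_WAIT
tcp   0      0      192.0.2.10:25     203.0.113.5:1025      SYN_RECV
tcp   0      0      192.0.2.10:25     203.0.113.5:1026      SYN_RECV
tcp   0      0      192.0.2.10:25     203.0.113.9:2200      SYN_RECV
tcp   0      0      192.0.2.10:22     198.51.100.7:51000    ESTABLISHED
EOF
}

sample_netstat | smtp_state_counts
sample_netstat | smtp_half_open_sources
# Live use: netstat -an | smtp_state_counts
```

Run it at intervals and compare the per-state counts against the baseline for your system.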